Corporate America is ripe for phishing

A new survey released Tuesday by the Chantilly, Virginia-based security and anti-spam company PhishMe has a lot to say about how well phishing emails are filtered in the corporate environment. PhishMe conducted the survey at this year's Black Hat hacker conference in Las Vegas, July 24th to the 26th. PhishMe surveyed 250 security professionals, of whom more than two thirds (69 percent) said they encounter phishing messages that get past anti-spam filters at least a few times a week. Nearly a quarter of those surveyed say they see multiple phishing emails daily in their corporate users' mailboxes.

"Phishing" is the name given to a form of email attack that uses social engineering to lull the recipient into a false sense of security so that they click links within the email. The links can look like they go to legitimate sites while actually going elsewhere: the visible link text may differ from the real destination, or the destination may be a look-alike domain built from Unicode characters that many email clients still do not display distinguishably from the genuine name. The point of these emails is either to harvest credentials and other user information through a spoofed login page that sits between the user and the real service, or to get the user onto a malicious website that executes code and installs viruses or rootkits on the system. A more targeted form of this attack is called "spear phishing", in which the emails are tailored to a specific person or group of people, usually people within an organization who share a common set of information.
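The two link tricks described above (visible text that disagrees with the real destination, and look-alike hostnames built from non-ASCII characters) are both mechanically checkable. The following is an added example, not code from the article or from PhishMe; it scans a constructed HTML email body for anchor tags and reports, per link, whether the visible URL text points to a different host than the href, whether the host uses non-ASCII characters or mixes scripts (a homograph), and whether the host is a bare IP address. The sample body and the reason strings are assumptions made for the example.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the original article). Three links:
# one legitimate, one whose visible text disagrees with its href, and one
# whose host uses a Cyrillic 'a' (U+0430) in place of the Latin letter.
SAMPLE_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="https://www.example.com/login">https://www.example.com/login</a>
<a href="http://198.51.100.7/verify">https://www.example.com/verify</a>
<a href="https://www.ex\u0430mple.com/login">Sign in to Example</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lowercase hostname of a URL, or None if the URL has no host."""
    return (urlparse(url).hostname or "").lower() or None


def scripts_in(host):
    """Unicode script names (first word of the character name) for letters in host."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def flag_link(href, text):
    """Return a list of reasons a link looks deceptive; empty list means none found."""
    reasons = []
    href_host = host_of(href)
    if href_host is None:
        return ["href has no host"]
    # 1. The visible text is itself a URL but names a different host than the href.
    if re.match(r"^\s*https?://", text):
        text_host = host_of(text.strip())
        if text_host and text_host != href_host:
            reasons.append(f"text host {text_host!r} != href host {href_host!r}")
    # 2. Non-ASCII host: show the punycode form the resolver will use, and flag
    #    a label that mixes scripts, which is the classic homograph pattern.
    try:
        href_host.encode("ascii")
    except UnicodeEncodeError:
        try:
            puny = href_host.encode("idna").decode("ascii")
        except UnicodeError:
            puny = href_host  # not IDNA-encodable; still worth flagging
        reasons.append(f"non-ASCII host, resolves as {puny!r}")
        if len(scripts_in(href_host)) > 1:
            reasons.append("mixed scripts in host (homograph)")
    # 3. A bare IPv4 literal instead of a domain name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
        reasons.append("host is a bare IP address")
    return reasons


def scan(html):
    """Run flag_link over every anchor in an HTML body."""
    return [(href, text, flag_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, reasons in scan(SAMPLE_HTML):
        print(href, "|", text, "|", reasons or "ok")
```

These three checks are only a fraction of what a mail filter looks at, which is part of why the survey respondents still see phishing in inboxes: a link whose text and href agree, on an all-ASCII domain registered yesterday, passes all of them.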

According to PhishMe, spear phishing has become the top method of infecting enterprise systems with malware. In the survey, more than one quarter (27 percent) of security professionals said that top executives or other privileged users in their enterprises had been compromised by spear phishing attacks within the last 12 months, and with them their internal networks. It's like someone buzzing your apartment door, saying they live in another apartment and forgot their keys, and you letting them in only to have them rob the other tenants.

Another 31 percent of network professionals said they weren't sure whether their executives or privileged users had been hit with such attacks.

"Many enterprises believe that because they are using spam filtering tools or other email security technologies, they are safe from phishing attacks," says Scott Greaux, Vice President of Product Management and Services at PhishMe. "What we found in our survey is that despite such filters, end users are presented with live, malicious attacks in their inboxes nearly every day."

But with this many phishing messages getting through spam detection systems, surely large companies are being proactive about training, right?

Sadly, PhishMe's survey of Black Hat attendees indicates that most end users receive only the bare minimum of security awareness training. Nearly half (49 percent) of the professionals surveyed said their corporate users receive training at most once a year. Even worse, nine percent said their organizations have no security training program at all, leaving untrained users as easy vectors of attack.

Of the companies that do provide security training, those surveyed said many rely on repetitive, scripted, sometimes outdated and infrequent forms of training that give users little significant knowledge and give program managers or administrators few metrics. In fact, three of the top four training methods listed by Black Hat attendees were:

recorded video/computer-based training, 39.4 percent

paper tests/quizzes, 32.9 percent

handbooks/printed guides, 28.5 percent

Many of the security professionals surveyed by PhishMe deemed all of these methods largely unsuccessful, because they lack hands-on practice and training in realistic simulated situations. Only 16 percent of the security professionals surveyed said their companies trained users through simulated attacks.

"This survey demonstrates with great clarity that phishing attacks - particularly targeted attacks - are getting through to end users with alarming regularity, yet most organizations don't train their users on what the most current attacks look like or how to react to them," says Aaron Higbee, CTO and co-founder of PhishMe. "If enterprises are going to protect themselves, they need a realistic, regular training regimen that helps users make the right decisions when they see a potential phishing attack - passive security awareness that doesn't focus on tracking behavior modification is ineffective."